Aligning Security Compliance and DevOps: A Longitudinal Study

TL;DR

This paper presents a longitudinal study on adapting DevOps practices to meet security compliance standards, specifically IEC 62443-4-1, to support secure and agile development in critical infrastructure contexts.

Contribution

It introduces RefA, a prescriptive security-compliant DevOps framework, and demonstrates its practical application and benefits through a detailed case study at Siemens AG.

Findings

RefA facilitates security compliance knowledge transfer to development teams.

The framework supports agile, compliant product development in critical infrastructure.

Practical insights for integrating security standards into DevOps processes.

Abstract

Companies adopt agile methodologies and DevOps to facilitate efficient development and deployment of software-intensive products. This, in turn, introduces challenges in relation to security standard compliance traditionally following a more linear workflow. This is especially a challenge for the engineering of products and services associated with critical infrastructures. To support companies in their transition towards DevOps, this paper presents an adaptation of DevOps according to security regulations and standards. We report on our longitudinal study at Siemens AG, consisting of several individual sub-studies in the inception, validation, and initial adoption of our framework based on RefA as well as the implications for practice. RefA is a prescriptive model of a security compliant DevOps lifecycle based on the IEC 62443-4-1 standard. The overall framework is aimed at professionals, not only security experts, being able to use it on implementing DevOps processes while remaining compliant with security norms. We demonstrate how RefA facilitates the transfer of security compliance knowledge to product development teams. This knowledge transfer supports the agility aim of ensuring that cross-functional teams have all the skills needed to deliver the compliant products.